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EXECUTIVE  SUMMARY 

DoD-Centric  and  Independent  Technology  Evaluation  Capability  (DITEC)  users  may  decide  that 
certain  capability  examinations  are  less  meaningful  for  them  than  others.  This  paper  introduces  a 
system  of  prioritizing  capability  tests  with  DITEC  and  an  algorithm  that  generates  a  weighted 
average  based  off  of  that  prioritization 
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1.  INTRODUCTION 

The  DoD-Centric  and  Independent  Technology  Evaluation  Capability  (DITEC)  allows  users  to 
perform  a  number  of  security  evaluations  of  their  computer  networks.  These  evaluations  take  place  at 
three  levels  (from  highest  to  lowest):  capability,  sub-capability,  and  sub-capability  element.  It  is 
entirely  conceivable  that  a  given  user  may  place  less  emphasis  (or  perhaps  none  at  all)  on  certain  test 
capabilities,  and  a  simple  arithmetic  mean  of  general  test  results  may  not  provide  meaningful 
analysis. 

A  solution  to  this  problem  is  to  institute  a  weighted  average,  but  this  begs  the  question  of  how  to 
assign  weights  to  the  capabilities  scored.  Proposed  is  a  6-level  ranking  structure  that,  given  10 
capability  tests,  would  lead  to  610  possible  UPD  combinations.  A  weighting  algorithm  is  proposed 
which  will  assign  weights  to  capability  tests  consistently,  based  on  the  users  prioritizations. 
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2.  DITEC  USER  PRIORITY  DESIGNATION  (UPD)  AND  UPD 

PROFILES 

DITEC  tests  10  capabilities,  and  so  the  user  must  prioritize  all  capabilities.  The  UPD  scheme 
gives  six  priority  levels:  0,  1,2,  3,  4,  5.  The  UPD  levels  are  as  follows: 

•  UPD=0:  No  priority 

•  UPD=1:  Minimal  priority 

•  UPD=2:  Low  priority 

•  UPD=3 :  Moderate  priority 

•  UPD=4:  High  priority 

•  UPD=5:  Top  priority 

All  capability  tests  must  be  assigned  a  UPD,  and  the  user  may  assign  multiple  capabilities  to  the 
same  UPD  Level.  Once  a  user  has  assigned  a  UPD  to  each  capability,  they  have  a  UPD  Profile 
P  =  ( pv..pxo).  Once  P  has  been  established  for  a  user,  weights  must  be  assigned  to  fit  that  specific 
set  of  priorities. 
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3.  A  FUNCTION  ASSIGNING  WEIGHTS  BASED  ON  P 


Recall  that  a  weighted  average  is  a  set  of  discrete  numbers  {xv..xn}  and  weights  { vv’ . . .  wn } 
such  that 

n  n 

(x)  =  YJxiw,  and^w,.  =1. 

i= 1  i=\ 

Weighted  averages  are  often  used  in  computing  final  grades  in  a  class,  and  in  determining  atomic 
mass  for  the  periodic  table  of  elements  [1].  In  the  present  case,  the  analogy  to  calculating  final  grades 
for  a  class  is  more  relevant.  A  professor  has  a  semester  class  with  two  mid-term  exams,  a  final  exam, 
five  quizzes,  ten  homework  assignments,  and  attendance  grades.  It  seems  natural  that  the  quizzes 
should  have  less  impact  on  a  student's  overall  grade  than  the  exams,  while  homework  may  still  have 
a  different  impact  than  the  quizzes  or  the  exams. 

For  every  UPD  Profile  P  there  is  a  corresponding  Weight  Profile  W  =  { vv, . . .  wn  \  and  a  function 
/  :  P  — >  W  mapping  UPD  level  i  I— »  vv; .  The  weights  u;  e  [0, 1]  n  □  and  /  must  satisfy  the 
following  conditions: 

•  /(0)  =  0 :  This  allows  the  user  to  compute  weighted  averages  that  do  not  take  unneeded 
capabilities  into  account. 

•  /(0)  =  0<  /(1)<  /(2)<  /(3)<  /  (4)  <  /(5)  <  1 :  Each  UPD  level  is  weighted  higher 
than  the  preceding  UPD  level  and  lower  than  the  subsequent  UPD  level.  Capabilities  at  the 
same  UPD  level  have  the  same  weight. 

•  l  =  y.w.  This  is  simply  satisfying  the  requirement  that  the  sum  of  all  weights  is  1 . 
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4.  A  DESCRIPTION  OF  A  WEIGHTING  FUNCTION  / 


DITEC  has  ten  capability  tests  at  the  highest  level  and  the  UPD  framework  allows  each  capability 
to  have  one  of  six  priority  designations,  meaning  that  there  are  6 10  possible  UPD  Profiles.  Certainly, 
there  will  be  cases  where  certain  UPD  profiles  may  be  equivalent  for  the  purposes  of  the  weighting 
function.  There  are  also  UPD  profiles,  which  are  unlikely  to  be  chosen,  e.g.  a  UPD  profile  with  each 
pi  =  0 .  It  would  be  unnecessarily  costly  to  store  a  database  of  all  possible  UPD  and  weight  profiles 
and  so  a  weighting  function  /  is  proposed  that  distributes  weights  in  proportion  to  how  each  UPD 
level  is  distributed  in  P  .  Moreover,  /  should  be  similarly  implementable  at  the  sub-capability  and 
sub-capability  element  levels,  each  of  which  will  have  different  numbers  of  tests. 

The  weighting  function  /  can  be  visualized  geometrically  as  equally  partitioning  a  line  segment, 
taking  away  a  partition  plus  some  extra,  equally  repartitioning  the  remaining  line  segment  and 
repeating  the  process.  The  following  sketch  does  not  apply  in  the  case  that  all  capabilities  are  given 
the  same  UPD.  In  particular,  suppose  that  for  a  particular  P  there  are  n>  1  UPD  levels.  Denote  the 

initial  remaining  weight  as  I  =  1  and  partition  1 0  equally  into  n  pieces  such  that  j  =  — .  Take  the 

n 

first  weight  to  be  j  +  j1  .The  remaining  weight  is  I  ,  =!-(/  +  j2  j .  Now  partition  I ,  equally  into 

n-1  pieces  where  (n  - \)-k  =  I  x  and k  =  ^  1  .  Take  the  second  weight  to  be  k  +  k2 .  The 

n-l 

remaining  weight  is  \  2  =  \  x-[k  -\- k2^ .  And  so  on. 
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5.  AN  EXAMPLE  OF  THE  UPD  WEIGHTING  FUNCTION  / 

Suppose  a  UPD  profile  P  in  which  ten  capabilities  are  distributed  among  all  six  UPD  levels,  as 
shown  in  Table  1.  Note  that  capabilities  are  numbered  1  through  10  rather  than  named  in  this 
example.  The  distribution  of  capabilities  among  the  UPD  levels  is  arbitrary  and  not  terribly  important 

except  that  we  need  to  know  how  many  UPD  levels  not  equal  to  0  are  in  a  given  P  ,  in  this  case  all 
five  levels  where  UPD  does  not  equal  0  are  present. 


Table  1.  Example  UPD  Level  Designation 


Capability 

UPD 

1 

1 

2 

0 

3 

2 

4 

3 

5 

1 

6 

5 

7 

3 

8 

4 

9 

5 

10 

5 

We  denote  the  weight  at  each  step  as  w. .  Therefore  we  take  n  =  5,  1 0  =  1 ,  and  j  =  ^ .  The  first 


weight  is: 


.  .2  1 

Wl  =J+J  =~  + 


rn 

v5y 


=  —  =  0.24 
24 


19  19  19 

The  remaining  weight  after  calculation  of  w,  is  I,  =  L  -  w,  =  — .  Now  take  4k  =  — ,  then  k  = - 

1  1  0  1  25  25  100 


and  the  second  weight  is: 


7  7  7  19 

w.  =k+k  = - + 

2  100 


f  19  A 


V100y 


2261 

10000 


=  0.2261 


5 


5339  5339 

After  two  iterations  the  remaining  weight,  w  ,  is  I  =  I ,  -w  = _ .  Now  take  3/  = _ ,  then 


10000 


10000 


5339 

/  = - and  the  third  weight  is: 

30000 


_ / _i_  /2 _  5339 

w,  —  1  +  1  — - 

3  10000 


5339 

10000 


V 


188674921 

900000000 


=  0.209638801 


291835079 

After  three  iterations  the  remaining  weight,  w4,  is  h  =  h  -  vv’3  = - - .  This  means  we  have 


900000000 


,  r  ,  .  ,  r  ,  .  XT  ,  „  188674921  , 

assigned  values  lor  three  weights,  so  two  ol  them  remain.  Now  take  2 m  - - ,  then 


900000000 


188674921  ,  ,  _  , 

m  = - and  the  tourth  weight  is: 

1800000000 


2  188674921 

w,  =  m+m  = - + 

4  1800000000 


188674921 

V  1800000000 j 


610470855534936241 

3240000000000000000 


=  0.1884169307 


After  four  iterations  the  remaining,  and  final,  weight,  w ,  which  makes  calculation  much  simpler. 
The  fifth  weight  is: 


w. 


=  I4  =  I3 


■w. 


440135428865063759 

3240000000000000000 


0.135844268168229555246913580. 


Table  2  summarizes  the  UPD  levels  designations  for  each  of  the  capabilities  in  the  example,  as 
well  as  the  calculated  weight  for  each  of  them. 

Table  2.  Summary  of  Example  UPD  Levels  and  Weights 


UPD 

Capability 

Weight  # 

Weight  Value 

0 

2 

0 

0 

1 

1,  5 

W5 

0.135844 

2 

3 

W4 

0.18841 

3 

4,  7 

W3 

0.20963 

4 

8 

W2 

0.2261 

5 

6,  9,  10 

wl 

0.24 

After  two  or  three  iterations  of  our  weighting  function  / ,  the  fractions  do  get  to  a  size  that  would 
be  difficult  for  a  person  to  calculate,  but  this  is  a  trivial  matter  for  a  computer.  It  is  clear  that  / 
satisfies  the  conditions  set  earlier.  This  weighting  function  /  works  irrespective  of  how  many 
capabilities  are  at  the  level  being  tested  or  how  many  capabilities  are  at  a  given  UPD  level.  Thus  it 
should  be  implementable  at  any  level  for  analysis. 
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6.  AN  ALGORITHM  FOR  / 


1 .  Begin  / . 

2.  If  there  is  only  one  UPD  level,  all  tests  are  equally  weighted. 

3.  Else,  if  there  are  multiple  UPD  levels: 

4.  Define  1 0  =  1 

5 .  Define  n  :=  the  number  of  UPD  levels 

6.  For  i  >  1 ,  define  jt  =  — — 

n-i  + 1 

7.  For  i  >  1 ,  define  w,  =  jt  +  j] 

8.  For  i  >  1 ,  define  I .  =  I  (._j  -  wt 

9.  While  n-i  +  \>2  ,  compute  j.,wi,\i 

10.  If  n  —  i  + 1  =  1,  Wj  =  I  j_2  ~  wt_x 

1 1 .  End  /  when  n  —  i  + 1  =  0 
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